The speed of containers, the security of VMs

Xu Wang, Hyper <xu@hyper.sh>Samuel Ortiz, Intel <samuel.ortiz@intel.com>

*

*Other names and brands may be claimed as the property of others.

Contents Project Overview

Technical Details

Get Involved

History

Intel® Clear Containers

May 2015 Dec 2017*Other names and brands may be claimed as the property of others.

*

Technical Vision

● Light and fast VM-based containers● Merge Intel® Clear Containers and Hyper runV technologies● Seamless integration with Kubernetes (CRI), Docker and Openstack● Support multiple architectures (x86 today; others to come in the future)● Support multiple hypervisors (KVM today; others to come in the future)

Multi ArchitectureMulti HypervisorFull HotplugK8s Multi TenancyVM templatingFrakti native supportTraffic Controller net

Direct Device AssignmentSRIOVNVDIMMMulti-OSKSM throttlingCRI-O native supportMacVTap, multi-queue net

Intel® Clear Containers

Non-Technical Goals

● Open and vendor-neutral project● All VM based containers, users and consumers under the same project● Managed at the OpenStack Foundation*● Independent from the OpenStack* software project

*Other names and brands may be claimed as the property of others.

Containers in Cloud

App A

Middleware A

App B

Middleware B

Linux* Kernel

App C

Middleware C

Server Hardware

Container A Container B Container C

Virtual MachineLinux Kernel*Other names

and brands may be claimed as the property of others.

Hypervisor Based Containers

App A

Middleware A

Linux* KernelServer Hardware

Container A Container B Container C

Linux Kernel A

Virtual Machine

App B

Middleware B

Linux Kernel B

Virtual Machine

App C

Middleware C

Linux Kernel C

Virtual Machine

● Each container/pod is hypervisor isolated

● As secure as a VM● As fast as a container● Seamless integration

with the container ecosystem and management layers

*Other names and brands may be claimed as the property of others.

Speed

Isolation

Technical Details

Hypervisor

Shim

Proxy

Agent

Kernel

Virtual Machine

Runtime

I/O OCI cmd/spec

gRPC over Yamux

gRPC gRPC

Shim

Container namespaces

ContainerCommand

ContainerExec

Hypervisor serial interface*Other names and brands may be claimed as the property of others.

Hypervisor

Shim Agent

Kernel

Virtual Machine

Runtime

I/O OCI cmd/spec

gRPC

gRPCShim

Container namespaces

ContainerCommand

ContainerExec

Hypervisor VSOCK socket*Other names and brands may be claimed as the property of others.

Fast as a Container

Create Start

VM Boot Kernel Agent Start Pod

Prepare container Image

Prepare Volumes

$ kubectl apply -f nginx.yml

hotplug

Small as a Container

● Minimize memory footprint○ Minimal rootfs○ Minimal kernel○ VM Template○ DAX/nvdimm

● De-duplicate memory across VMs○ KSM (with throttling)

MacVTAP

Networking

Virtual Machine

PodTap

Container networking namespace

Kubernetes*OverlayNetwork

veth pair

*Other names and brands may be claimed as the property of others.

Networking

Virtual Machine

PodTap

Container networking namespace

Kubernetes*OverlayNetwork

veth pair tc mirror

*Other names and brands may be claimed as the property of others.

Storage

Virtual Machine

Container 1RootfsOverlay

Volume

Volume

Container 2RootfsOverlay

9pfs/virtio-blk9pfs/virtio-blk

9pfs/virtio-blk

9pfs/virtio-blk

Multi-tenant Kubernetes*

k8s k8s

IaaS

containercontainerPod

VM

containercontainerPod

VM

containercontainerPod

VM

containercontainerPod

VM

CaaS

Pod

VM

k8s

Pod

VM

Pod

VM

Pod

VM

Pod

VM

Pod

VM

Pod

VM

Pod

VM

*Other names and brands may be claimed as the property of others.

Demo: Stackube - K8S with Hard Multi-tenancy

k8s Node

kubelet

frakti (runtime shim)

CNI

Keystone(Tenant mgmt)

Cinder(Persistent Volume)

Neutron(L2 Isolated Network)

k8s Master

kube-apiserver

Tenant (CRD)

Network (CRD)

kubectl

What’s Next?

1H’2018 Horizon

● 1.0 Release (parity with RunV and CC 3.0 with upgrade path)● CRI integration: Frakti, CRI-O, containerd-cri● OCI runtime spec support for hypervisor based containers● OSV support● Documented case studies

Get Involved

Contribute

● Code and documentation hosted on https://github.com/kata-containers/

● Major releases managed through Github* Projects

● Intel (Intel® Clear Containers) & Hyper (runV) contributing initial IP

● Apache 2 license

● Slack: katacontainers.slack.com

● IRC: #kata-dev@freenode

● Mailing-list: kata-dev@lists.katacontainers.io

*Other names and brands may be claimed as the property of others.

Where To Contribute?

Role Language Upstream version Host/Guest

Shim I/O and signal handling between the host and the VM Go N/A Host

Proxy I/O and signal multiplexing (optional, serial connection) Go N/A Host

Runtime OCI commands handling. VM, shim, and proxy startup Go N/A Host

QEMU Hypervisor C 2.9 Host

Agent Guest containers manager Go N/A Guest

Guest Kernel Boot to systemd/Boot initrd C 4.13.13 Guest

Guest image Minimal Linux root filesystem that starts the agent N/A Pick your image Guest

Open Governance

● Contributors

○ At least one github contribution for the past 12 months

● Maintainers

○ Active contributor, nominated by fellow maintainers

○ Can merge code

● Architecture Committee

○ Take high level architecture and roadmap decisions

○ 5 seats, elected by contributors

Thank you!

Disclaimer

Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.*Other names and brands may be claimed as the property of others.© Intel Corporation